How Much Surveillance Can Democracy Withstand?

A version of this article was first published in Wired
in October 2013.

“How did they find out I'm a dog?”

Thanks to Edward Snowden's disclosures, we know that the current
level of general surveillance in society is incompatible with human
rights. The repeated harassment and prosecution of dissidents,
sources, and journalists in the US and elsewhere provides
confirmation. We need to reduce the level of general surveillance,
but how far? Where exactly is the
maximum tolerable level of surveillance, which we must ensure
is not exceeded? It is the level beyond which surveillance starts to
interfere with the functioning of democracy, in that whistleblowers
(such as Snowden) are likely to be caught.

Faced with government secrecy, we the people depend on
whistleblowers
to tell
us what the state is doing. However, today's surveillance
intimidates potential whistleblowers, which means it is too much. To
recover our democratic control over the state, we must reduce
surveillance to the point where whistleblowers know they are safe.

The Upper Limit on Surveillance in a Democracy

If whistleblowers don't dare reveal crimes and lies, we lose the
last shred of effective control over our government and institutions.
That's why surveillance that enables the state to find out who has
talked with a reporter is too much surveillance—too much for
democracy to endure.

Opposition and dissident activities need to keep secrets from
states that are willing to play dirty tricks on them. The ACLU has
demonstrated the U.S. government's systematic
practice of infiltrating peaceful dissident groups on the pretext
that there might be terrorists among them. The point at which
surveillance is too much is the point at which the state can find who
spoke to a known journalist or a known dissident.

Information, Once Collected, Will Be Misused

When people recognize
that the level of general surveillance is too
high, the first response is to propose limits on access to the
accumulated data. That sounds nice, but it won't fix the problem, not
even slightly, even supposing that the government obeys the rules.
(The NSA has misled the FISA court, which said it
was unable
to effectively hold the NSA accountable.) Suspicion of a crime
will be grounds for access, so once a whistleblower is accused of
“espionage,” finding the “spy” will provide an
excuse to access the accumulated material.

Surveillance data will always be used for other purposes, even if
this is prohibited. Once the data has been accumulated and the state
has the possibility of access to it, it can misuse that data in
dreadful ways, as shown by examples
from Europe
and the
US .

Total surveillance accessible to the state enables the state to
launch a massive fishing expedition against any person. To make
journalism and democracy safe, we must limit the accumulation of data
that is easily accessible to the state.

Robust Protection for Privacy Must Be Technical

The Electronic Frontier Foundation and other organizations propose
a set of legal principles designed to prevent the
abuses of massive surveillance. These principles include,
crucially, explicit legal protection for whistleblowers; as a
consequence, they would be adequate for protecting democratic
freedoms—if adopted completely and enforced without exception
forever.

However, such legal protections are precarious: as recent history
shows, they can be repealed (as in the FISA Amendments Act),
suspended, or ignored.

Meanwhile, demagogues will cite the usual excuses as grounds for
total surveillance; any terrorist attack, even one that kills just a
handful of people, can be hyped to provide an opportunity.

If limits on access to the data are set aside, it will be as if
they had never existed: years worth of dossiers would suddenly become
available for misuse by the state and its agents and, if collected by
companies, for their private misuse as well. If, however, we stop the
collection of dossiers on everyone, those dossiers won't exist, and
there will be no way to compile them retroactively. A new illiberal
regime would have to implement surveillance afresh, and it would only
collect data starting at that date. As for suspending or momentarily
ignoring this law, the idea would hardly make sense.

First, Don't Be Foolish

To have privacy, you must not throw it away: the first one who has
to protect your privacy is you. Avoid identifying yourself to web
sites, contact them with Tor, and use browsers that block the schemes
they use to track visitors. Use the GNU Privacy Guard to encrypt the
contents of your email. Pay for things with cash.

Keep your own data; don't store your data in a company's
“convenient” server. It's safe, however, to entrust a
data backup to a commercial service, provided you put the files in an
archive and encrypt the whole archive, including the names of the
files, with free software on your own computer before uploading
it.

For privacy's sake, you must avoid nonfree software since, as a
consequence of giving others control of your computing, it
is likely to spy
on you.
Avoid service
as a software substitute; in addition to giving others control of how your
computing is done, it requires you to hand over all the pertinent data to the
server.

Protect your friends' and acquaintances' privacy,
too. Don't
give out their personal information except how to contact them,
and never give any web site your list of email or phone contacts.
Don't tell a company such as Facebook anything about your friends that
they might not wish to publish in a newspaper. Better yet, don't be
used by Facebook at all. Reject communication systems that require
users to give their real names, even if you are going to give yours,
since they pressure other people to surrender their privacy.

Self-protection is essential, but even the most rigorous
self-protection is insufficient to protect your privacy on or from
systems that don't belong to you. When we communicate with others or
move around the city, our privacy depends on the practices of society.
We can avoid some of the systems that surveil our communications and
movements, but not all of them. Clearly, the better solution is to
make all these systems stop surveilling people other than legitimate
suspects.

We Must Design Every System for Privacy

If we don't want a total surveillance society, we must consider
surveillance a kind of social pollution, and limit the surveillance
impact of each new digital system just as we limit the environmental
impact of physical construction.

For example: “smart” meters for electricity are touted
for sending the power company moment-by-moment data about each
customer's electric usage, including how usage compares with users in
general. This is implemented based on general surveillance, but does
not require any surveillance. It would be easy for the power company
to calculate the average usage in a residential neighborhood by
dividing the total usage by the number of subscribers, and send that
to the meters. Each customer's meter could compare her usage, over
any desired period of time, with the average usage pattern for that
period. The same benefit, with no surveillance!

We need to design such privacy into all our digital systems.

Remedy for Collecting Data: Leaving It Dispersed

One way to make monitoring safe for privacy is
to keep the data dispersed and inconvenient to
access. Old-fashioned security cameras were no threat to privacy(*).
The recording was stored on the premises, and kept for a few weeks at
most. Because of the inconvenience of accessing these recordings, it
was never done massively; they were accessed only in the places where
someone reported a crime. It would not be feasible to physically
collect millions of tapes every day and watch them or copy them.

Nowadays, security cameras have become surveillance cameras: they
are connected to the Internet so recordings can be collected in a data
center and saved forever. This is already dangerous, but it is going
to get worse. Advances in face recognition may bring the day when
suspected journalists can be tracked on the street all the time to see
who they talk with.

Internet-connected cameras often have lousy digital security
themselves, which
means anyone
can watch what those cameras see. This makes internet-connected
cameras a major threat to security as well as privacy. For privacy's
sake, we should ban the use of Internet-connected cameras aimed where
and when the public is admitted, except when carried by people.
Everyone must be free to post photos and video recordings
occasionally, but the systematic accumulation of such data on the
Internet must be limited.

*I assume here that the security
camera points at the inside of a store, or at the street. Any camera
pointed at someone's private space by someone else violates privacy,
but that is another issue.

Remedy for Internet Commerce Surveillance

Most data collection comes from people's own digital activities.
Usually the data is collected first by companies. But when it comes
to the threat to privacy and democracy, it makes no difference whether
surveillance is done directly by the state or farmed out to a
business, because the data that the companies collect is
systematically available to the state.

The goal of making journalism and democracy safe therefore requires
that we reduce the data collected about people by any organization,
not just by the state. We must redesign digital systems so that they
do not accumulate data about their users. If they need digital data
about our transactions, they should not be allowed to keep them more
than a short time beyond what is inherently necessary for their
dealings with us.

One of the motives for the current level of surveillance of the
Internet is that sites are financed through advertising based on
tracking users' activities and propensities. This converts a mere
annoyance—advertising that we can learn to ignore—into a
surveillance system that harms us whether we know it or not.
Purchases over the Internet also track their users. And we are all
aware that “privacy policies” are more excuses to violate
privacy than commitments to uphold it.

We could correct both problems by adopting a system of anonymous
payments—anonymous for the payer, that is. (We don't want to
help the payee dodge
taxes.) Bitcoin
is not anonymous, though there are efforts to develop ways to pay
anonymously with Bitcoin. However, technology
for digital
cash was first developed in the 1980s; the GNU software for doing
this is called GNU Taler. Now we need
only suitable business arrangements, and for the state not to obstruct
them.

Another possible method for anonymous payments would
use prepaid
phone cards. It is less convenient, but very easy to
implement.

A further threat from sites' collection of personal data is that
security breakers might get in, take it, and misuse it. This includes
customers' credit card details. An anonymous payment system would end
this danger: a security hole in the site can't hurt you if the site
knows nothing about you.

Remedy for Travel Surveillance

We must convert digital toll collection to anonymous payment (using
digital cash, for instance). License-plate recognition systems
recognize all license plates, and
the data
can be kept indefinitely; they should be required by law to notice
and record only those license numbers that are on a list of cars
sought by court orders. A less secure alternative would record all
cars locally but only for a few days, and not make the full data
available over the Internet; access to the data should be limited to
searching for a list of court-ordered license-numbers.

It is acceptable to have a list of people whose person and luggage
will be searched with extra care, and anonymous passengers on domestic
flights could be treated as if they were on this list. It is also
acceptable to bar non-citizens, if they are not permitted to enter the
country at all, from boarding flights to the country. This ought to
be enough for all legitimate purposes.

Many mass transit systems use some kind of smart cards or RFIDs for
payment. These systems accumulate personal data: if you once make the
mistake of paying with anything but cash, they associate the card
permanently with your name. Furthermore, they record all travel
associated with each card. Together they amount to massive
surveillance. This data collection must be reduced.

Navigation services do surveillance: the user's computer tells the
map service the user's location and where the user wants to go; then
the server determines the route and sends it back to the user's
computer, which displays it. Nowadays, the server probably records
the user's locations, since there is nothing to prevent it. This
surveillance is not inherently necessary, and redesign could avoid it:
free/libre software in the user's computer could download map data for
the pertinent regions (if not downloaded previously), compute the
route, and display it, without ever telling anyone where the user is
or wants to go.

Systems for borrowing bicycles, etc., can be designed so that the
borrower's identity is known only inside the station where the item
was borrowed. Borrowing would inform all stations that the item is
“out,” so when the user returns it at any station (in
general, a different one), that station will know where and when that
item was borrowed. It will inform the other station that the item is
no longer “out.” It will also calculate the user's bill,
and send it (after waiting some random number of minutes) to
headquarters along a ring of stations, so that headquarters would not
find out which station the bill came from. Once this is done, the
return station would forget all about the transaction. If an item
remains “out” for too long, the station where it was
borrowed can inform headquarters; in that case, it could send the
borrower's identity immediately.

Unmonitored communication is impossible where systems create such
dossiers. So it should be illegal to create or keep them. ISPs and
phone companies must not be allowed to keep this information for very
long, in the absence of a court order to surveil a certain party.

This solution is not entirely satisfactory, because it won't
physically stop the government from collecting all the information
immediately as it is generated—which is what
the U.S. does
with some or all phone companies. We would have to rely on
prohibiting that by law. However, that would be better than the
current situation, where the relevant law (the PAT RIOT Act) does not
clearly prohibit the practice. In addition, if the government did
resume this sort of surveillance, it would not get data about
everyone's phone calls made prior to that time.

For privacy about who you exchange email with, a simple partial
solution is for you and others to use email services in a country that
would never cooperate with your own government, and which communicate
with each other using encryption. However, Ladar Levison (owner of
the mail service Lavabit that US surveillance sought to corrupt
completely) has a more sophisticated idea for an encryption system
through which your email service would know only that you sent mail to
some user of my email service, and my email service would know only
that I received mail from some user of your email service, but it
would be hard to determine that you had sent mail to me.

But Some Surveillance Is Necessary

For the state to find criminals, it needs to be able to investigate
specific crimes, or specific suspected planned crimes, under a court
order. With the Internet, the power to tap phone conversations would
naturally extend to the power to tap Internet connections. This power
is easy to abuse for political reasons, but it is also necessary.
Fortunately, this won't make it possible to find whistleblowers after
the fact, if (as I recommend) we prevent digital systems from accumulating
massive dossiers before the fact.

Individuals with special state-granted power, such as police,
forfeit their right to privacy and must be monitored. (In fact,
police have their own jargon term for perjury,
“testilying,”
since they do it so frequently, particularly about protesters
and photographers.)
One city in California that required police to wear video cameras all
the time
found their
use of force fell by 60%. The ACLU is in favor of this.

Corporations
are not people, and not entitled to human rights. It is
legitimate to require businesses to publish the details of processes
that might cause chemical, biological, nuclear, fiscal, computational
(e.g., DRM) or political
(e.g., lobbying) hazards to society, to whatever level is needed for
public well-being. The danger of these operations (consider the BP
oil spill, the Fukushima meltdowns, and the 2008 fiscal crisis) dwarfs
that of terrorism.

However, journalism must be protected from surveillance even when
it is carried out as part of a business.

Digital technology has brought about a tremendous increase in the
level of surveillance of our movements, actions, and communications.
It is far more than we experienced in the 1990s, and far
more than people behind the Iron Curtain experienced in the 1980s,
and proposed legal limits on state use of the accumulated data would
not alter that.

Companies are designing even more intrusive surveillance. Some
project that pervasive surveillance, hooked to companies such as
Facebook, could have deep effects on how
people think. Such possibilities are imponderable; but the threat
to democracy is not speculation. It exists and is visible today.

Unless we believe that our free countries previously suffered from
a grave surveillance deficit, and ought to be surveilled more than the
Soviet Union and East Germany were, we must reverse this increase.
That requires stopping the accumulation of big data about people.